
SCIM

Learn how to integrate a SCIM provider with Strata Cloud Manager for automated user provisioning, streamlined identity management, and enhanced security compliance across your deployment.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • IAM role of Superuser
  • SailPoint license
  • OCI license
Integrating a third-party System for Cross-Domain Identity Management (SCIM) enables organizations to streamline identity and access management for Strata Cloud Manager. By connecting an external identity provider such as SailPoint or Oracle Cloud Infrastructure (OCI), SCIM automates user provisioning, deprovisioning, and access control, establishing a centralized and consistent approach to identity lifecycle management. This integration reduces manual administrative effort, helps enforce uniform access policies, and ensures that user and access information remains accurate and up to date across connected systems.
To set up an integration with a third-party SCIM, you configure a Tenant Service Group (TSG) and service account in your system, followed by setting up the SCIM connector in the third-party provider. For those seeking maximum control and security, optional features like SCIM-only mode ensure that all Access Management changes occur exclusively through the SCIM connector.
Supported SCIM Providers
Strata Cloud Manager supports integration with the following SCIM providers:
  • SailPoint
  • OCI

SailPoint

This section contains instructions to set up the SailPoint SCIM connector.
  1. Set up Strata Cloud Manager to use a SCIM to manage identity access.
    1. Create a TSG (Tenant Service Group).
    2. Create a Service Account with a Superuser role inside the TSG you created.
      Record the client credentials for later use.
    3. Click Change Authorization Source.
    4. Enable SCIM and then Save to apply your changes.
      After the SCIM integration is enabled for Strata Cloud Manager, all access management changes will only be allowed through the SCIM provider.
  2. Set up the SCIM to manage access for Strata Cloud Manager.
    For the most up-to-date instructions on managing a SCIM Connector, see the SailPoint documentation.
    1. Import the XML file containing the Strata Cloud Manager SCIM Connector configuration into SailPoint (this XML file will be provided by your account representative).
      After the XML is imported, the application appears under Application Definition.
    2. Select the application and enter the OAuth2 client credentials from the service account you created in Strata Cloud Manager.
    3. Set up Aggregation Tasks in SailPoint for Accounts and Groups for the SCIM Connector.
      This ensures that all relevant identity data from Strata Cloud Manager is efficiently integrated into SailPoint, enabling better identity governance, streamlined access management, and enhanced security.

OCI

Enhance identity management in SCM with an advanced SCIM integration for OCI, automating user and group provisioning.
This procedure outlines the steps to configure SCIM-based user and group provisioning between OCI and Strata Cloud Manager. By automating identity and access management, you can enhance security and improve operational efficiency within your Strata Cloud Manager environment. Follow these steps to set up the integration:
  1. Set up Strata Cloud Manager to use SCIM-based provisioning for identity access management.
    1. Create a TSG.
    2. Create a Service Account with a Superuser role inside the TSG you created.
      Save the client credentials for later use.
    3. Click Change Authorization Source.
    4. Enable SCIM and then Save to apply your changes.
      After SCIM integration is enabled for Strata Cloud Manager, all access management changes are permitted only through the configured third-party IdP using the SCIM protocol.
  2. Configure OCI to provision users and groups to Strata Cloud Manager using the integrated application in OCI to connect with Strata Cloud Manager.
    For the most up-to-date instructions on configuring SCIM provisioning in OCI, refer to the OCI documentation.
    1. Log in to Oracle Cloud Infrastructure (OCI).
    2. Select Identity & Security > Domains and then select the domain where your users and groups reside.
    3. Select Integrated applications > Add Application > Application Catalog.
    4. Search and select the appropriate application template, for example, a custom SCIM application or a generic enterprise application.
    5. Configure the provisioning settings for the application.
      • Select Client Credentials as the provisioning method.
      • Specify:
        • Host Name - Your Strata Cloud Manager API endpoint.
        • Base URL - Specify /iam/v1/scim.
        • Client ID - The service account ID obtained from Strata Cloud Manager (see Step 1.2).
        • Client Secret - The bearer token generated for the service account in Strata Cloud Manager (see Step 1.2).
        • Authentication Server URL - Your Strata Cloud Manager authentication endpoint (https://auth.paloaltonetworks.com/am/oauth2/access_token).
        Configuring the connectivity details for the SCIM application in OCI.
    6. Test Connectivity to verify that OCI can successfully establish a connection and authenticate with the Strata Cloud Manager SCIM endpoint.
    7. Select Refresh Application Data to retrieve available Strata Cloud Manager access policies (roles or groups) from Strata Cloud Manager.
    8. Select Import > Run Import to import existing users and groups from Strata Cloud Manager into OCI.
    9. Assign Users and Access Policies in OCI for Strata Cloud Manager Synchronization.
      1. Select Users > Assign Users and then select the user or users you wish to provision to Strata Cloud Manager.
        Figure 6: Selecting a user to assign to the SCIM application in OCI.
      2. In the assignment details, select Groups and select the Strata Cloud Manager access policies you want to apply to these users.
          Adding SCM access policies (groups) to a user in OCI.
      3. Assign Users to apply the associated Strata Cloud Manager access policies to the user.
        Note: Ensure that these users' email domains are verified by the Strata Cloud Manager Identity Federation.
  3. Verify user provisioning in Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Identity & Access Management > Users.
    3. Search for the user provisioned in the previous step.
    4. Verify that the user account exists and has the correct group assignments.
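The verification in Step 3 can be repeated on a schedule to catch drift between the IdP's assignments and what Strata Cloud Manager actually holds, which matters in SCIM-only mode where the SCIM source is meant to be the sole authority. The following added example (not part of this page or a Palo Alto Networks tool) assumes the SCIM Users listing follows the standard RFC 7643/7644 ListResponse shape; the response body, user names and group names are constructed sample data, not output from a real tenant.

```python
import json

# Constructed sample of what a GET on the SCIM Users endpoint might return
# (RFC 7644 ListResponse shape). IDs, users and group names are made up.
SCIM_USERS_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True,
         "groups": [{"value": "g-1", "display": "SCM Superuser"}]},
        {"id": "u-2", "userName": "bob@example.com", "active": True,
         "groups": [{"value": "g-2", "display": "SCM View Only"},
                    {"value": "g-1", "display": "SCM Superuser"}]},
        {"id": "u-3", "userName": "legacy-admin@example.com", "active": True,
         "groups": [{"value": "g-1", "display": "SCM Superuser"}]},
    ],
})

# Constructed: the assignments the IdP (OCI or SailPoint) is expected to have pushed.
EXPECTED_ASSIGNMENTS = {
    "alice@example.com": {"SCM Superuser"},
    "bob@example.com": {"SCM View Only"},
    "carol@example.com": {"SCM View Only"},
}


def reconcile(scim_response_json, expected):
    """Compare the SCIM Users list against the IdP's expected assignments.

    missing    - users the IdP should have provisioned but SCM does not have
    unexpected - users in SCM the IdP does not manage; in SCIM-only mode these
                 should not exist and deserve investigation
    drift      - users whose SCM group set differs from the IdP's assignment
    """
    body = json.loads(scim_response_json)
    observed = {}
    for user in body.get("Resources", []):
        groups = {g.get("display", g["value"]) for g in user.get("groups", [])}
        observed[user["userName"].lower()] = groups
    wanted = {k.lower(): set(v) for k, v in expected.items()}
    return {
        "missing": sorted(set(wanted) - set(observed)),
        "unexpected": sorted(set(observed) - set(wanted)),
        "drift": {u: {"expected": sorted(wanted[u]), "actual": sorted(observed[u])}
                  for u in set(wanted) & set(observed) if wanted[u] != observed[u]},
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SCIM_USERS_RESPONSE, EXPECTED_ASSIGNMENTS), indent=2))
```

In practice the response would come from the SCIM endpoint configured in Step 2 using the service account's client credentials, and the expected set from the IdP's own assignment export.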